What you will learn from this tip: Trying to find good reasons to secure information at rest can be difficult -- even in the name of regulatory compliance. In this tip, information security expert Kevin Beaver highlights several business needs associated with securing data at rest that can help justify your efforts and storage-related security expenditures.

Most organizations, large and small, are affected by some type of law or regulation dealing with information privacy and security. As I've highlighted in a previous tip, some of the greatest security risks revolve around information at rest. When it's all said and done, virtually every information privacy and security law and regulation in the U.S., Canada, Europe and elsewhere requires in some way that sensitive information at rest (health information, financial information, financial reporting information, etc.) be protected in reasonable ways. It's really the most fundamental of all protection requirements.

Whether the threat comes in the form of malicious insiders, malware or hackers, businesses can't afford not to protect this information. There's simply too much to lose -- especially when it comes to some of the severe fines and jail time associated with noncompliance with recent regulations.

Various proven safeguards and countermeasures exist for the protection of information at rest, but you can't really implement and manage them effectively without some business justification. Ideally, business needs and risk management should drive the need for information security -- not solely regulatory compliance requirements. In fact, recent surveys show that regulatory compliance is less of a driver for security spending than many anticipated.

Regardless, it's got to be done sooner or later. Here are some business-focused benefits of compliance you can use to sell security within your organization and show that value can be attained by ensuring the proper controls are in place for sensitive information at rest:

Hold data owners responsible for tracking down where sensitive data is stored (it's often in very unlikely places such as workstation temp directories and users' Documents and Settings folders in Windows) and for ensuring that proper oversight of this data is taking place.

Management can show that due care is taken to secure sensitive information on workstations, servers and mobile devices once least privilege permissions and other access controls have been put in place.

Database and storage administrators can feel good about going above and beyond the call of duty by encrypting files, database tables or entire drives that contain information that should not be accessed in an unauthorized fashion.

Accountability (or vindication) follows suit in the event of a breach when proper audit logging is taking place.

If a disaster strikes, information that must be protected is restored with backups that are administered and tested properly.

I'm a big advocate of keeping things simple and practical. Perfecting the security of your data at rest is not necessary at first, and perfection will likely prove elusive going forward. I challenge you to spend your efforts and budget wisely: put less into the latest 'compliant-ready' products and more into the security controls you already have at your disposal.

Focus on the areas that need the most attention (likely the corralling of stray information and improper file permissions) and then create a good plan, show that progress is being made and drill down over time. This will show that your organization is doing the right thing, keep employees on the up and up and help executives stay out of trouble. These are payoffs you can't refuse.
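The first item in the list above, and the closing advice about corralling stray information and improper file permissions, is the kind of thing a short discovery sweep makes concrete. The following Python script is an added example, not tooling from the article or from Principle Logic: it walks directories where sensitive files tend to stray, flags files whose contents match SSN- or payment-card-shaped values (with a Luhn check to cut false positives), and records whether each hit is readable by users other than its owner. The sample tree, the two patterns and the POSIX mode-bit permission check are all assumptions; on Windows the equivalent permission check would read the file's ACL instead of mode bits.

```python
"""
Sweep for sensitive data at rest.  Walks directories where such data tends to
stray (temp folders, user profile folders), flags files whose contents match
SSN or payment-card patterns, and records whether each hit is readable by
users other than its owner.  Added illustration: the sample files, the pattern
set and the permission check are assumptions, not the article's own tooling.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

# Loose SSN shape with the unassigned ranges (000, 666, 900-999) excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; Luhn filters noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MAX_BYTES = 4 * 1024 * 1024   # skip very large files rather than slurp them


@dataclass
class Finding:
    path: str
    ssn_hits: int
    card_hits: int
    world_readable: bool   # group- or other-readable under the POSIX mode bits


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_cards(text: str) -> int:
    hits = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits += 1
    return hits


def count_ssns(text: str) -> int:
    return len(SSN_RE.findall(text))


def is_world_readable(path: Path) -> bool:
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_file(path: Path) -> Optional[Finding]:
    try:
        if path.stat().st_size > MAX_BYTES:
            return None
        text = path.read_text(errors="ignore")
    except OSError:
        return None   # unreadable or vanished; a real sweep would log this
    ssns, cards = count_ssns(text), count_cards(text)
    if not (ssns or cards):
        return None
    return Finding(str(path), ssns, cards, is_world_readable(path))


def sweep(roots: Iterable[Path]) -> List[Finding]:
    """Walk every root and return the files that hold sensitive-looking values."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                found = scan_file(Path(dirpath) / name)
                if found:
                    findings.append(found)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree() -> Path:
    """Constructed stand-in for a workstation: a temp dir and a profile folder."""
    root = Path(tempfile.mkdtemp(prefix="dar_demo_"))
    (root / "Temp").mkdir()
    (root / "Documents").mkdir()
    # Constructed values: a Luhn-valid test card number and dummy SSNs.
    stray = root / "Temp" / "export~1.tmp"
    stray.write_text("customer,4111 1111 1111 1111,123-45-6789\n")
    os.chmod(stray, 0o644)            # readable by everyone on the box
    private = root / "Documents" / "payroll.csv"
    private.write_text("emp,587-65-4321\nemp,111-22-3333\n")
    os.chmod(private, 0o600)          # owner-only
    clean = root / "Documents" / "orders.txt"
    clean.write_text("order 1234567890123456 shipped\n")   # 16 digits, fails Luhn
    return root


if __name__ == "__main__":
    # Point sweep() at real locations such as tempfile.gettempdir() and
    # Path.home() to run this against a workstation instead of the sample tree.
    for f in sweep([build_sample_tree()]):
        flag = "WORLD-READABLE" if f.world_readable else "owner-only"
        print(f"{f.path}: {f.ssn_hits} SSN, {f.card_hits} card, {flag}")
```

The Luhn step matters more than it looks: without it, any long order or tracking number reads as a card number and the report drowns in noise, which is the fastest way to lose the data owners the article wants to hold responsible.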

About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including "Hacking For Dummies" (Wiley), the brand new "Hacking Wireless Networks For Dummies," and "The Practical Guide to HIPAA Privacy and Security Compliance" (Auerbach). He can be reached at kbeaver @ principlelogic.com.
